Academic Commons Search Results
Feed URL: https://academiccommons.columbia.edu/catalog?action=index&controller=catalog&f%5Bauthor_facet%5D%5B%5D=Cui%2C+Ang&f%5Bpub_date_facet%5D%5B%5D=2011&format=rss&fq%5B%5D=has_model_ssim%3A%22info%3Afedora%2Fldpd%3AContentAggregator%22&q=&rows=500&sort=record_creation_date+desc

Title: Symbiotes and defensive Mutualism: Moving Target Defense
Record: https://academiccommons.columbia.edu/catalog/ac:198976
Authors: Cui, Ang; Stolfo, Salvatore
Identifier: http://dx.doi.org/10.7916/D8DN4537
Date: Mon, 16 May 2016 15:54:11 +0000
Abstract: If we wish to break the continual cycle of patching and replacing our core monoculture systems to defend against attacker evasion tactics, we must redesign the way systems are deployed so that the attacker can no longer glean the information about one system that allows attacking any other like system. Hence, a new poly-culture architecture that provides complete uniqueness for each distinct device would thwart many remote attacks (except perhaps for insider attacks). We believe a new security paradigm based on perpetual mutation and diversity, driven by symbiotic defensive mutualism, can fundamentally change the 'cat and mouse' dynamic which has impeded the development of truly effective security mechanisms to date. We propose this new 'clean slate design' principle and conjecture that this defensive strategy can also be applied to legacy systems widely deployed today. Fundamentally, the technique diversifies the defensive system of the protected host system, thwarting attacks against defenses commonly executed by modern malware.
Subjects: Computer science, Computer system security, Computer software--Design and construction, Computer programming
Contributor IDs: ac2024, sjs11
Department: Computer Science
Type: Book chapters

Title: From Prey to Hunter: Transforming Legacy Embedded Devices into Exploitation Sensor Grids
Record: https://academiccommons.columbia.edu/catalog/ac:153316
Authors: Cui, Ang; Kataria, Jatin; Stolfo, Salvatore
Identifier: http://hdl.handle.net/10022/AC:P:14912
Date: Fri, 12 Oct 2012 13:58:57 +0000
Abstract: Our global communication infrastructures are powered by large numbers of legacy embedded devices. Recent advances in offensive technologies targeting embedded systems have shown that the stealthy exploitation of high-value embedded devices such as routers and firewalls is indeed feasible. However, little to no host-based defensive technology is available to monitor and protect these devices, leaving large numbers of critical devices defenseless against exploitation. We devised a method of augmenting legacy embedded devices, like Cisco routers, with host-based defenses in order to create a stealthy, embedded sensor grid capable of monitoring and capturing real-world attacks against the devices which constitute the bulk of the Internet substrate. Using a software mechanism which we call the Symbiote, a whitelist-based code modification detector is automatically injected in situ into Cisco IOS, producing a fully functional router firmware capable of detecting and capturing successful attacks against itself for analysis. Using the Symbiote-protected router as the main component, we designed a sensor system which requires no modification to existing hardware, fully preserves the functionality of the original firmware, and detects unauthorized modification of memory within 450 ms. We believe that it is feasible to use the techniques described in this paper to inject monitoring and defensive capability into existing routers to create an early attack warning system to protect the Internet substrate.
Subjects: Computer science
Contributor IDs: ac2024, jk3319, sjs11
Department: Computer Science
Type: Articles

Title: Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware
Record: https://academiccommons.columbia.edu/catalog/ac:153274
Authors: Cui, Ang; Voris, Jonathan A.
Identifier: http://hdl.handle.net/10022/AC:P:14902
Date: Thu, 11 Oct 2012 15:46:21 +0000
Abstract: Network printers are ubiquitous fixtures within the modern IT infrastructure. Residing within sensitive networks and lacking in security, these devices represent high-value targets that can theoretically be used not only to manipulate and exfiltrate sensitive information such as network credentials and sensitive documents, but also as fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further reconnaissance, exploitation and exfiltration.
Subjects: Computer science
Contributor IDs: ac2024, jv2428
Department: Computer Science
Type: Presentations

Title: Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware
Record: https://academiccommons.columbia.edu/catalog/ac:153271
Authors: Cui, Ang; Stolfo, Salvatore
Identifier: http://hdl.handle.net/10022/AC:P:14897
Date: Thu, 11 Oct 2012 15:19:32 +0000
Abstract: Network printers are ubiquitous fixtures within the modern IT infrastructure. Residing within sensitive networks and lacking in security, these devices represent high-value targets that can theoretically be used not only to manipulate and exfiltrate sensitive information such as network credentials and sensitive documents, but also as fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further reconnaissance, exploitation and exfiltration.
Subjects: Computer science
Contributor IDs: ac2024, sjs11
Department: Computer Science
Type: Presentations

Title: Reflections on the Engineering and Operation of a Large-Scale Embedded Device Vulnerability Scanner
Record: https://academiccommons.columbia.edu/catalog/ac:153210
Authors: Cui, Ang; Stolfo, Salvatore
Identifier: http://hdl.handle.net/10022/AC:P:14879
Date: Wed, 10 Oct 2012 15:48:55 +0000
Abstract: We present important lessons learned from the engineering and operation of a large-scale embedded device vulnerability scanner infrastructure. Developed and refined over the period of one year, our vulnerability scanner monitored large portions of the Internet and was able to identify over 1.1 million publicly accessible, trivially vulnerable embedded devices. The data collected has helped us move beyond vague, anecdotal suspicions of embedded insecurity towards a realistic quantitative understanding of the current threat. In this paper, we describe our experimental methodology and reflect on key technical, organizational and social challenges encountered during our research. We also discuss several key technical design missteps and operational failures and their solutions.
Subjects: Computer science, Web studies
Contributor IDs: ac2024, sjs11
Department: Computer Science
Type: Articles

Title: Killing the Myth of Cisco IOS Diversity: Recent Advances in Reliable Shellcode Design
Record: https://academiccommons.columbia.edu/catalog/ac:142658
Authors: Cui, Ang; Kataria, Jatin; Stolfo, Salvatore
Identifier: http://hdl.handle.net/10022/AC:P:12019
Date: Fri, 16 Dec 2011 15:43:45 +0000
Abstract: IOS firmware diversity, the unintended consequence of a complex firmware compilation process, has historically made reliable exploitation of Cisco routers difficult. With approximately 300,000 unique IOS images in existence, a new class of version-agnostic shellcode is needed in order to make the large-scale exploitation of Cisco IOS possible. We show that such attacks are now feasible by demonstrating two different reliable shellcodes which will operate correctly over many Cisco hardware platforms and all known IOS versions. We propose a novel two-phase attack strategy against Cisco routers and the use of offline analysis of existing IOS images to defeat IOS firmware diversity. Furthermore, we discuss a new IOS rootkit which hijacks all interrupt service routines within the router and its ability to intercept and modify process-switched packets just before they are scheduled for transmission. This ability allows the attacker to use the payload of innocuous packets, like ICMP, as a covert command and control channel. The same mechanism can be used to stealthily exfiltrate data out of the router, using response packets generated by the router itself as the vehicle. We present the implementation and quantitative reliability measurements by testing both shellcode algorithms against a large collection of IOS images. As our experimental results show, the techniques proposed in this paper can reliably inject command and control capabilities into arbitrary IOS images in a version-agnostic manner. We believe that the technique presented in this paper overcomes an important hurdle in the large-scale, reliable rootkit execution within Cisco IOS. Thus, effective host-based defense for such routers is imperative for maintaining the integrity of our global communication infrastructures.
Subjects: Computer science
Contributor IDs: ac2024, jk3319, sjs11
Department: Computer Science
Type: Articles

Title: Defending Embedded Systems with Software Symbiotes
Record: https://academiccommons.columbia.edu/catalog/ac:142644
Authors: Cui, Ang; Stolfo, Salvatore
Identifier: http://hdl.handle.net/10022/AC:P:12013
Date: Fri, 16 Dec 2011 14:03:04 +0000
Abstract: A large number of embedded devices on the internet, such as routers and VOIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDSs, is available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed to inject intrusion detection functionality into the firmware of the device. A SEM, or simply the Symbiote, may be injected into deployed legacy embedded systems with no disruption to the operation of the device. A Symbiote is a code structure embedded in situ into the firmware of an embedded system. The Symbiote can tightly co-exist with arbitrary host executables in a mutually defensive arrangement, sharing computational resources with its host while simultaneously protecting the host against exploitation and unauthorized modification. The Symbiote is stealthily embedded in a randomized fashion within an arbitrary body of firmware to protect itself from removal. We demonstrate the operation of a generic whitelist-based rootkit detector Symbiote injected in situ into Cisco IOS with negligible performance penalty and without impacting the router's functionality. We present the performance overhead of a Symbiote on physical Cisco router hardware. A MIPS implementation of the Symbiote was ported to ARM and injected into a Linux 2.4 kernel, allowing the Symbiote to operate within Android and other mobile computing devices. The use of Symbiotes represents a practical and effective protection mechanism for a wide range of devices, especially widely deployed, unprotected, legacy embedded devices.
Subjects: Computer science
Contributor IDs: ac2024, sjs11
Department: Computer Science
Type: Articles

Title: Concurrency Attacks
Record: https://academiccommons.columbia.edu/catalog/ac:135489
Authors: Yang, Junfeng; Cui, Ang; Gallagher, John Martin; Stolfo, Salvatore; Sethumadhavan, Lakshminarasimhan
Identifier: http://hdl.handle.net/10022/AC:P:10681
Date: Mon, 11 Jul 2011 12:16:48 +0000
Abstract: Just as errors in sequential programs can lead to security exploits, errors in concurrent programs can lead to concurrency attacks. In this paper, we present an in-depth study of concurrency attacks and how they may affect existing defenses. Our study yields several interesting findings. For instance, we find that concurrency attacks can corrupt non-pointer data, such as user identifiers, which existing memory-safety defenses cannot handle. Inspired by our findings, we propose new defense directions and fixes to existing defenses.
Subjects: Computer science
Contributor IDs: jy2324, ac2024, jmg2016, sjs11, ss3418
Department: Computer Science
Type: Technical reports